The GDPR and you – or the cost of poor security

Any discussion of a new piece of EU legislation might sound like a waste of time if you’re based in the US – or in the UK after the vote to leave the EU. But think again…

The General Data Protection Regulation (GDPR) applies to any organisation based in the European Union, and to any organisation elsewhere that processes the personal data of people in the EU. It was adopted in April 2016 and applies from 25 May 2018. Put simply, it tightens the already stringent rules governing the way companies handle personal information, and imposes heavy fines on those who fail to protect personal data properly. Organisations suffering a serious breach can be fined up to 4% of their annual worldwide turnover or €20 million, whichever is higher.

The law introduces various new aspects to data privacy, including an individual’s “right to be forgotten” (the right to erasure), which means that organisations will have to review the ways in which they gather, store, process and share personal data.

What it should also do, though, is make us focus on how much personal data we actually need to store. Most privacy legislation, from the UK Data Protection Act 1998 onwards, has established the principle that organisations should hold personal information only for specific agreed purposes, and only for as long as it is needed for those purposes (the GDPR calls these data minimisation and storage limitation). In other words, it is unwise to hold on to information for years “just in case it comes in handy”.

In fact, given how severe the fines for a data breach can be, organisations are safer keeping personal information for as short a time as possible: data that has already been deleted cannot be leaked.

And the same goes for passwords. Many of the biggest data breaches have involved attackers stealing users’ passwords (often whole password databases that were stored unhashed or weakly hashed), first because a password lets the attacker into the breached account, but also because people tend to reuse passwords across many sites. Attackers can therefore try the same key (the password) in a lot of locks, an attack known as credential stuffing.

Yet this particular route is straightforward to block. Register the user’s mobile phone as a second authentication factor and the password alone is no longer enough to get into the account. If the system sends a one-time passcode to the phone at login, the attacker needs the code as well as the password, and a properly implemented code is short-lived and valid only once. One caveat: a code sent by SMS can still be intercepted if the attacker takes over the user’s phone number (a SIM swap) or tricks the user into typing the code into a phishing page while it is still valid, so an authenticator app or a hardware token is the stronger choice where it is practical. Even so, any second factor defeats the bulk attack of replaying passwords leaked from some other site.

Unless the attacker has control of the user’s phone (or phone number) as well as their password, they cannot authenticate.
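The server-side half of the scheme described above deserves more care than “send a code and compare it”. The following is an added example, not code from the original article: an OTP service that generates a code with a cryptographic random source, stores only an HMAC of it bound to the user, expires it after five minutes, allows it to be used once, caps guesses so that the one-in-a-million code space cannot be brute-forced online, and compares in constant time. The SMS gateway is an injected callable, the in-memory dictionary stands in for a database table, and the user, phone number and key are constructed sample data.

```python
"""Server-side one-time passcode (OTP) issuance and verification.

Added example, not from the original article. The SMS gateway is assumed to be
a callable(phone_number, message); the in-memory dict stands in for a database
table of pending codes.
"""
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # a code is valid for five minutes
MAX_ATTEMPTS = 5         # after this many guesses the code is discarded


@dataclass
class PendingCode:
    digest: bytes        # HMAC of the code; the plaintext code is never stored
    expires_at: float    # absolute time after which the code is dead
    attempts: int = 0    # verification attempts seen so far


class OtpService:
    def __init__(self, send_sms, server_key: bytes, clock=time.time):
        self._send_sms = send_sms      # assumed gateway: callable(phone_number, message)
        self._key = server_key         # secret kept server-side, never sent to the user
        self._clock = clock            # injectable so expiry can be tested deterministically
        self._pending = {}             # user_id -> PendingCode (stand-in for a DB table)

    def _digest(self, user_id: str, code: str) -> bytes:
        # Bind the code to the user so a code issued for one account cannot be
        # presented for another, and so a leaked table reveals no usable codes.
        msg = f"{user_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user_id: str, phone_number: str) -> None:
        # secrets.randbelow is a CSPRNG; random.randint would be predictable.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user_id] = PendingCode(
            digest=self._digest(user_id, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        self._send_sms(phone_number, f"Your login code is {code}. It expires in 5 minutes.")

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:                         # nothing issued, or already consumed
            return False
        if self._clock() > entry.expires_at:      # expired: discard, force a fresh issue
            del self._pending[user_id]
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:         # online brute force: discard the code
            del self._pending[user_id]
            return False
        ok = hmac.compare_digest(entry.digest, self._digest(user_id, submitted))
        if ok:
            del self._pending[user_id]            # single use: a replayed code fails
        return ok


def demo() -> dict:
    """Exercise the happy path and each failure mode; returns the outcomes."""
    sent = []                        # captured "SMS" messages (constructed stand-in)
    now = [1_700_000_000.0]          # controllable clock
    svc = OtpService(send_sms=lambda phone, msg: sent.append(msg),
                     server_key=secrets.token_bytes(32),
                     clock=lambda: now[0])
    user, phone = "alice", "+15550100"   # constructed sample data

    def last_code() -> str:
        return re.search(r"\b\d{6}\b", sent[-1]).group(0)

    def other_than(code: str) -> str:    # a guaranteed-wrong guess
        return f"{(int(code) + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"

    results = {}
    svc.issue(user, phone)
    code = last_code()
    results["wrong_code_rejected"] = not svc.verify(user, other_than(code))
    results["correct_code_accepted"] = svc.verify(user, code)
    results["replay_rejected"] = not svc.verify(user, code)

    svc.issue(user, phone)
    code = last_code()
    now[0] += CODE_TTL_SECONDS + 1
    results["expired_code_rejected"] = not svc.verify(user, code)

    svc.issue(user, phone)
    code = last_code()
    for _ in range(MAX_ATTEMPTS):
        svc.verify(user, other_than(code))
    results["lockout_after_max_attempts"] = not svc.verify(user, code)
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

The same verification logic (expiry, single use, attempt limit, constant-time compare) applies unchanged if the code is produced by an authenticator app rather than delivered by SMS; only the delivery step and its interception risk change.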

It is a simple measure, but extremely powerful. In the context of the GDPR, it not only provides far stronger protection for the contents of a user’s account and personal details, but it also removes the need to store other authentication details, such as “security question” answers (mother’s maiden name, favourite teacher and so on), which are themselves personal data and, once leaked, can be used to break into the same user’s accounts elsewhere.

In other words, with fines this large looming, it’s time to give up on password-only protection and use the mobile phone to provide a simple and effective extra layer of security.